Credential management

US9544292B2 · US · B2

Patent metadata
Publication number: US-9544292-B2
Application number: US-201514963760-A
Country: US
Kind code: B2
Filing date: Dec 9, 2015
Priority date: Sep 27, 2013
Publication date: Jan 10, 2017
Grant date: Jan 10, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant drop of availability in the resources has occurred, the credential may be disabled for a longer period of time. In this manner, the credentials may be disabled and re-enabled for increasingly longer time intervals until it is determined with sufficient confidence/certainty that disabling the credential will not adversely impact critical systems, at which point the credential can be rotated and/or permanently disabled. This process also enables the system to determine which systems are affected by a credential in cases where such information is not known.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer implemented method, comprising: at a credential management system including at least one processor and memory, the memory communicatively coupled to the at least one processor and storing instructions, the at least one processor executing the instructions to perform the operations of: identifying a credential in a set of credentials corresponding to a user, the user authenticated to access a first computing resource based at least in part on the credential, wherein the credential is identified as suspect or identified as being in need of at least one of rotation, renewal, or permanent disablement; after identifying the credential, disabling the credential for a first period of time; monitoring an availability of a plurality of second computing resources for the first period of time while the credential is disabled; and determining, by the at least one processor of the credential management system, whether to re-enable, renew, rotate, or permanently disable the credential based at least in part on the availability of the second computing resources and an availability threshold associated with the second computing resources.

2. The computer implemented method of claim 1, further comprising re-enabling the credential based at least in part on the availability of at least one of the second computing resources decreasing below the associated availability threshold during a first time interval.

3. The computer-implemented method of claim 2, further comprising disabling the credential based at least in part on the availability of the at least one second computing resource remaining above at least the associated availability threshold during a second time interval, the second time interval being longer than the first time interval.

4. The computer-implemented method of claim 3, further comprising re-enabling the credential based at least in part on the availability of the at least one second computing resource remaining unchanged for at least one of the first time interval or the second time interval.

5. The computer implemented method of claim 3, further comprising: disabling the credential for a second amount of time based at least in part upon the availability of the at least one second computing resource remaining above at least the associated availability threshold during both the first time interval and the second time interval, the second amount of time longer than the first amount of time, first time interval, or the second time interval.

6. The computer implemented method of claim 1, wherein identifying the credential further comprises: arranging the set of credentials based on permissions associated with each credential; and selecting the credential based on the permissions.

7. The computer implemented method of claim 1, further comprising: generating a second version of the credential to replace the credential based at least in part on the monitoring of the availability of one or more of the plurality of second computing resources.

8. A computing system, comprising: at least one processor; and memory including instructions that, when executed by the at least one processor, cause the computing system to: monitor an availability of one or more computing resources accessible using a credential of a set of credentials corresponding to a user, the credential having an expiration time period and capable of being used to authenticate against one or more authentication systems to access the one or more first computing resources, wherein the credential is identified as suspect or identified as being in need of at least one of rotation, renewal, or permanent disablement; disable the credential for a first time interval, the first time interval shorter than the expiration time period; determine that the availability of one or more second computing resources related to the credential remain at least at a minimum threshold while the credential is disabled; and disable the credential until a change in the availability of one or more second computing resources is detected.

9. The computing system of claim 8, wherein the instructions when executed further cause the computer system to: re-enable the credential in response to at least one of detecting a change in the availability of the one or more second computing resources or an expiration of a second time interval.

10. The computing system of claim 9, wherein the instructions when executed further cause the computer system to: determine that the availability of the one or more second computing resources remained at least at the minimum threshold during the second time interval during which use of the credential was disabled; disable the credential for a third time interval that is longer than the second time interval; determine that the availability of the one or more second computing resources remained at least at the minimum threshold during at least the second time interval and the third time interval; and permanently disable the credential.

11. The computing system of claim 8, wherein the instructions when executed further cause the computer system to: detect that the availability of a critical second resource has decreased below the minimum threshold; and re-enable the credential in response to detecting that the availability of the critical second resource has decreased.

12. The computing system of claim 8, wherein the credential is disabled for a third time interval longer than the first time interval as the expiration time of the credential approaches.

13. The computing system of claim 8, wherein the instructions when executed further cause the computer system to: re-enable the credential in response to detecting a disruption in the availability of the one or more second computing resources prior to the end of the first time interval.

14. The computing system of claim 8, wherein disabling the credential includes: determining a confidence metric of the credential based at least in part on the availability of the one or more second computing resources.

15. A non-transitory computer-readable storage medium storing instructions that, when executed by at least one processor of a computing system, causes the computer system to: select a credential of a set of credentials corresponding to a first user, the credential capable of being used to authenticate against one or more authentication systems to access one or more first computing resources, the credential being identified as suspect or identified as being in need of at least one of rotation, renewal, or permanent disablement; disable the credential for a time interval; monitor an availability of one or more second computing resources related to the credential; maintain the credential as disabled if the availability of the one or more second computing resources remains above at least a minimum threshold during the time interval; and maintain the credential as disabled until a change in the availability of the one or more second computing resources.

16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions to monitor the availability of the one or more computing resources when executed further cause the computing system to: determine an availability of the one or more second computing resources based at least in part on information contained in one or more logs.

17. The non-transitory computer-readable storage medium of claim 15, wherein the instructions when executed further cause the computing system to: detect that the availability of a critical second resour
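
The procedure in the abstract and in claims 1 to 16 is a control loop: disable the suspect credential for a short interval, derive the availability of the possibly dependent resources from their logs, re-enable as soon as any resource (a critical one in particular) dips below its threshold, and otherwise escalate to longer intervals until a replacement can be issued and the old credential retired. The Python simulation below is an added example written for this page, not code from the patent or from Amazon; the log line format, resource names, availability thresholds, interval schedule and the cached-token failure model (a dependent resource keeps working for a while after the credential is cut off, then starts returning 503s) are assumptions chosen to show the behaviour.

```python
"""
Progressive disable-and-observe procedure for a suspect credential, following
the sequence in the abstract and claims: disable briefly, watch the availability
of the resources that might depend on the credential, back off if availability
drops, and otherwise disable for successively longer intervals until the
credential can be rotated.

Example code added to this page; it is not the patent's or the assignee's
implementation. The log format, resource names, thresholds, the interval
schedule and the cached-token failure model are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Credential:
    name: str
    expires_at: int            # simulated clock, in minutes
    enabled: bool = True
    disabled_since: int = -1

    def disable(self, now: int) -> None:
        self.enabled, self.disabled_since = False, now

    def enable(self) -> None:
        self.enabled, self.disabled_since = True, -1


def availability_from_logs(lines: List[str], resource: str) -> float:
    """Availability derived from logs (claim 16). Assumed line format:
    'ts=<minute> resource=<name> status=<http status>'; availability is the
    share of non-5xx responses. No observations is treated as no disruption."""
    total = errors = 0
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("resource") != resource:
            continue
        total += 1
        if fields.get("status", "").startswith("5"):
            errors += 1
    return 1.0 if total == 0 else (total - errors) / total


@dataclass
class Outcome:
    decision: str                                   # re-enabled | rotated | left-to-expire
    affected: List[str] = field(default_factory=list)
    confidence: float = 0.0                         # claim 14: clean disabled minutes / planned minutes
    replacement: Optional[Credential] = None        # claim 7: second version of the credential
    history: List[Tuple[int, str]] = field(default_factory=list)


LogSource = Callable[[str, int, int], List[str]]   # (resource, start, end) -> log lines


def progressive_disable(cred: Credential, resources: List[str],
                        thresholds: Dict[str, float], fetch_logs: LogSource,
                        schedule: List[int], now: int = 0) -> Outcome:
    """schedule: strictly increasing disable intervals in minutes (claims 3, 5, 10).
    thresholds: per-resource minimum availability; give critical resources a
    stricter value so any dip on them re-enables the credential (claim 11)."""
    out = Outcome(decision="left-to-expire")
    planned, clean = sum(schedule), 0
    for interval in schedule:
        if now + interval >= cred.expires_at:      # claim 8: stay inside the credential's lifetime
            break
        cred.disable(now)
        out.history.append((now, f"disabled for {interval} min"))
        for t in range(now + 1, now + interval + 1):   # probe once per simulated minute
            for r in resources:
                avail = availability_from_logs(fetch_logs(r, t - 1, t), r)
                if avail < thresholds[r]:              # claims 2, 11, 13: dependency found, back off
                    cred.enable()
                    out.affected.append(r)
                    out.history.append((t, f"{r} availability {avail:.2f} < {thresholds[r]}; re-enabled"))
                    out.decision = "re-enabled"
                    return out
        clean += interval
        out.confidence = clean / planned
        now += interval
        cred.enable()                                  # claim 4: re-enable between escalating intervals
        out.history.append((now, f"interval clean, confidence {out.confidence:.2f}"))
    if out.confidence >= 1.0:                          # every interval passed: rotate, then retire the old one
        out.replacement = Credential(f"{cred.name}/v2", expires_at=cred.expires_at + planned)
        cred.disable(now)
        out.decision = "rotated"
        out.history.append((now, f"rotated to {out.replacement.name}; old credential permanently disabled"))
    return out


def make_log_source(cred: Credential, dependent: Set[str], cache_ttl: int) -> LogSource:
    """Constructed log generator standing in for a real log store. Resources in
    'dependent' keep working on a cached token for cache_ttl minutes after the
    credential is disabled, then start returning 503s."""
    def fetch(resource: str, start: int, end: int) -> List[str]:
        lines = []
        for ts in range(start, end):
            broken = (resource in dependent and not cred.enabled
                      and ts - cred.disabled_since > cache_ttl)
            lines.append(f"ts={ts} resource={resource} status={503 if broken else 200}")
        return lines
    return fetch


if __name__ == "__main__":
    resources = ["billing-api", "search-api"]
    thresholds = {"billing-api": 0.99, "search-api": 0.95}   # billing is the critical one
    for dependent in ({"billing-api"}, set()):
        cred = Credential("svc-api-key", expires_at=1000)
        out = progressive_disable(cred, resources, thresholds,
                                  make_log_source(cred, dependent, cache_ttl=10), [5, 15, 60])
        print(f"dependent={sorted(dependent)} -> {out.decision}, affected={out.affected}")
        for ts, event in out.history:
            print(f"  t={ts:>3}: {event}")
```

In the first scenario the billing API only starts failing eleven minutes into the second, 15-minute interval, after the 5-minute first interval looked clean; that lag is the reason the patent escalates interval length instead of deciding after one short disablement. The second scenario has no dependent resource, completes the schedule with confidence 1.0 and rotates. In practice the probe window, the per-resource thresholds and the rest period between intervals have to be tuned to real traffic: a resource with no requests in the window is reported as available here, so a low-traffic dependency can be missed by a short first interval.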

Assignees

Amazon Tech Inc
Inventors

Classifications

  • H04L63/08 (primary): for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)

  • Entity profiles

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32)

  • for controlling access to devices or network resources

  • using revocation of authorisation

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9544292B2 cover?
A credential management system is described that provides a way to disable and/or rotate credentials, such as when a credential is suspected to have been compromised, while minimizing potential impact to various systems that may depend on such credentials. The credentials may be disabled temporarily at first and the availability of various resources is monitored for changes. If no significant d…
Who is the assignee on this patent?
Amazon Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/08. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 10, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).